How did Android fare in the November Security Bulletin? It may come as no surprise to learn that our old friend the Mediaserver has returned with a critical vulnerability. We also see some new entries in the mix. Let's dive in and see what's what.

Check your security release

Before we highlight what's included with the November 2016 Android Security Bulletin, it's always good to know what security release your device has installed.

Of the Android devices I use regularly, the Verizon-branded Nexus 6 running Android 7.0 is one update behind, with the October 2016 security update, and the OnePlus 3 running Android 6.0.1 is still stuck on the September 2016 security update. Nexus devices, as well as the new Pixel phones, will always be ahead of the curve for the security patches, and the OnePlus 3 has been discontinued so updates may be much slower to arrive.

To find out which security release is installed on your device, open Settings, scroll down and tap About Phone, and then look for Android Security Patch Level (Figure A). If you see an older security patch level, fret not...a new one will appear in an update soon.
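The same check can be scripted for several devices at once. The following is an added example, not part of the original article: it reads the patch level from the `ro.build.version.security_patch` property over adb and reports how many months each device trails a target level. The target `2016-11-01`, the device names, and the day components of the sample levels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare Android security patch levels against a bulletin month.
# ro.build.version.security_patch holds the level as YYYY-MM-DD (Android 6.0+).

# Read the level from an attached device by serial (needs adb; not called below).
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Print how many whole months LEVEL ($1) trails TARGET ($2); 0 if current or newer.
# Prints "invalid" and returns 1 if either value is not YYYY-MM-DD.
months_behind() {
    for v in "$1" "$2"; do
        case "$v" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo invalid; return 1 ;;
        esac
    done
    ly=${1%%-*}; lm=${1#*-}; lm=${lm%%-*}
    ty=${2%%-*}; tm=${2#*-}; tm=${tm%%-*}
    lm=${lm#0}; tm=${tm#0}   # strip a leading zero so 08/09 are not read as octal
    diff=$(( (ty - ly) * 12 + (tm - lm) ))
    if [ "$diff" -lt 0 ]; then diff=0; fi
    echo "$diff"
}

# Read "name level" pairs from stdin and print one status line per device.
audit() {
    target=$1
    while read -r name level; do
        [ -n "$name" ] || continue
        if n=$(months_behind "$level" "$target"); then
            if [ "$n" -eq 0 ]; then status=current; else status="behind:$n"; fi
        else
            status=unknown   # property missing or malformed (e.g. pre-6.0 builds)
        fi
        echo "$name $status"
    done
}

# Constructed sample: the months match the two devices described in the article;
# the day components and the "tablet" row are made up.
sample_audit() {
    audit 2016-11-01 <<'EOF'
nexus6 2016-10-01
oneplus3 2016-09-01
tablet unknown
EOF
}

sample_audit
```

To audit real hardware, feed `audit` lines built from `adb devices` serials and `device_patch_level` instead of the constructed sample.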

And there it is...the Mediaserver is back in the spotlight. As with nearly every previous Mediaserver vulnerability, this issue could enable an attacker to use a specially crafted file in order to cause memory corruption during media file and data processing. Because of the possibility of remote code execution within the context of the Mediaserver process, this vulnerability is rated as Critical.

This vulnerability affects libzipfile, and it could enable a local malicious application to execute arbitrary code within the context of a privileged process. If a device is compromised by this vulnerability, a reflashing of the operating system may be required.

Related bug: A-30916186

High issues

The number of vulnerabilities rated as High increased for the month of November. The following issues are included in this list.

Remote code execution vulnerability in Skia

Skia serves as the graphics engine for Android. A remote code execution vulnerability has been discovered that could enable an attacker to use a malicious file to cause memory corruption during media file processing. Due to the possibility of remote code execution within the context of the gallery process, this issue is rated as High.

Another issue found in the graphics processing is that libskia suffers from a vulnerability that makes use of libjpeg and could enable an attacker to use a specially crafted file to execute arbitrary code in the context of an unprivileged process. Due to the possibility of remote code execution, this issue is rated as High.

Related bug: A-30259087

Remote code execution vulnerability in Android runtime

The Android runtime library suffers from a vulnerability that could enable an attacker using a malicious payload to execute arbitrary code in the context of an unprivileged process. Due to the possibility of remote code execution within an application that uses the Android runtime, this vulnerability is rated as High.

Related bug: A-30765246

Elevation of privilege vulnerability in Mediaserver

The Mediaserver is back again with a few bugs (each rated as High) that can cause an unwanted elevation of privilege. These bugs depend upon a locally installed malicious application that can execute arbitrary code within the context of a privileged process. Due to the chance of gaining local access to elevated capabilities (which are not normally accessible to third-party applications), this issue is rated as High.

The System UI has been found to contain a vulnerability that could enable a malicious user to bypass the security prompt; this can only happen in a work profile when using Android in Multi-Window mode. Because of the possibility of a local bypass of user-interaction requirements for any developer or security setting, this vulnerability is rated as High.

The download manager has been found to contain a vulnerability that could enable a local malicious application to bypass the protections that isolate one application's data from another's. Because this issue could give an application access to data it shouldn't have, it has been rated as High.

Moderate issues

Elevation of privilege vulnerability in Framework APIs

The Android Framework APIs have been found to contain a vulnerability that could allow a malicious application to record audio without the user's permission. Because this issue can bypass user interaction requirements, this vulnerability is rated as Moderate.

Sensitive information could be retrieved, without user interaction, thanks to a vulnerability found in the Account Manager Service. Due to the ability of this vulnerability to bypass user interaction requirements, this issue is rated as Moderate.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end user to make sure the fixes find their way to devices. Make sure you not only check for updates, but apply them as soon as they are available.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.